Analysis
max time kernel: 148s
max time network: 149s
platform: android-10_x64
resource: android-x64-20240910-en
resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
submitted: 05/02/2025, 22:03
Static task: static1
Behavioral task: behavioral1
Sample: 69ae5079f26908ff840960dc5bea1d055d3b1bd78318102a4e64b605ee7e4ff9.apk
Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
Sample: 69ae5079f26908ff840960dc5bea1d055d3b1bd78318102a4e64b605ee7e4ff9.apk
Resource: android-x64-20240910-en
General
-
Target
69ae5079f26908ff840960dc5bea1d055d3b1bd78318102a4e64b605ee7e4ff9.apk
-
Size
4.1MB
-
MD5
45b5377f3a42484d5391af34ad47785c
-
SHA1
8fb49e59b8e025a70be935ad0a720a677ca1031d
-
SHA256
69ae5079f26908ff840960dc5bea1d055d3b1bd78318102a4e64b605ee7e4ff9
-
SHA512
e22e285dc0b4739d191f3be9e339e7076af02e0f907cbebb0d7fb7c7584f7c741e7b8ff3c7993bd4672d0308a7f82ff41137fbbf4e4c6fc5fb5cf7611c01f034
-
SSDEEP
49152:ygmPDdoPGRo5X3meyRZJyYVza3qc65Kt6u7wpymvMfVVW9BX5pgtflZMekqeDj0V:WD6hbYZkLjtB7fTg7gdlVkXjvYCZAz9F
Malware Config
Extracted
Family: androrat
Config value: 3.6.98.232:18443
Signatures
-
AndroRAT
AndroRAT is an open source Android remote administration tool.
-
Androrat family
-
Removes its main activity from the application launcher
pid 5066, Process: com.tencent.mm
pid 5066, Process: com.tencent.mm
pid 5066, Process: com.tencent.mm
-
Loads dropped Dex/Jar (1 TTPs, 4 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml (pid 5066, Process: com.tencent.mm)
ioc: /data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml (pid 5066, Process: com.tencent.mm)
ioc: /data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml (pid 5066, Process: com.tencent.mm)
ioc: /data/user/0/com.tencent.mm/app_mph_dex/apk.manager-v1.rizal.xml (pid 5066, Process: com.tencent.mm)
-
Makes use of the framework's Accessibility service (4 TTPs, 1 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (Process: com.tencent.mm)
-
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (Process: com.tencent.mm)
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
-
Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect account information stored on the device.
Framework service call: android.accounts.IAccountManager.getAccounts (Process: com.tencent.mm)
-
Reads the contacts stored on the device. (1 TTPs, 1 IoCs)
URI accessed for read: content://com.android.contacts/data/phones (Process: com.tencent.mm)
-
Reads the content of the calendar entry data. (1 TTPs, 1 IoCs)
URI accessed for read: content://com.android.calendar/events (Process: com.tencent.mm)
-
Reads the content of the call log. (1 TTPs, 1 IoCs)
URI accessed for read: content://call_log/calls (Process: com.tencent.mm)
-
Requests cell location (2 TTPs, 1 IoCs)
Uses Android APIs to get the current cell location.
Framework service call: com.android.internal.telephony.ITelephony.getCellLocation (Process: com.tencent.mm)
-
Acquires the wake lock (1 IoCs)
Framework service call: android.os.IPowerManager.acquireWakeLock (Process: com.tencent.mm)
-
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Framework service call: android.app.IActivityManager.setServiceForeground (Process: com.tencent.mm)
-
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (Process: com.tencent.mm)
-
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (Process: com.tencent.mm)
-
Reads information about phone network operator. (1 TTPs)
-
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Framework service call: android.app.IActivityManager.registerReceiver (Process: com.tencent.mm)
-
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Framework service call: android.app.job.IJobScheduler.schedule (Process: com.tencent.mm)
-
Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
Framework API call: javax.crypto.Cipher.doFinal (Process: com.tencent.mm)
-
Checks CPU information (2 TTPs, 1 IoCs)
File opened for read: /proc/cpuinfo (Process: com.tencent.mm)
-
Checks memory information (2 TTPs, 1 IoCs)
File opened for read: /proc/meminfo (Process: com.tencent.mm)
Processes
-
com.tencent.mm
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the calendar entry data.
- Reads the content of the call log.
- Requests cell location
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5066
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution (1)
Broadcast Receivers (1)
Foreground Persistence (1)
Scheduled Task/Job (1)
Defense Evasion
Download New Code at Runtime (1)
Execution Guardrails (1)
Geofencing (1)
Foreground Persistence (1)
Hide Artifacts (1)
Suppress Application Icon (1)
Input Injection (1)
Virtualization/Sandbox Evasion (2)
System Checks (2)
Credential Access
Clipboard Data (1)
Input Capture (2)
GUI Input Capture (1)
Keylogging (1)
Discovery
Location Tracking (1)
Software Discovery (1)
Security Software Discovery (1)
System Information Discovery (2)
System Network Configuration Discovery (2)
System Network Connections Discovery (1)
Downloads
-
Filesize 5.9MB
MD5 c8f6ba71cea84260cb55fd11ad2d0c4a
SHA1 d1f1e7e20a168047729d1c959de13401707a5691
SHA256 fb799b0b47b3404aa43a4fd4a6b43d7d8367a58dae8d25ec2d331d9005f8d867
SHA512 66485f9c9adc1f8514773d14103b62488e3b9ab05a4dac322f17d51641924589b2eee3c46cb67673b0053bc3f3e3de3c013ddc3d2603e0445349867a51e8d774
-
Filesize 32KB
MD5 0ec8d5e24581e56eb01c45155efe2049
SHA1 4de2aebc5e22d0420e54cb553c2739e50481e50a
SHA256 5bb1fd7e82a28019975971aae5f49b0eb2ddef4a943663b654ede402d2f7f616
SHA512 23f87b81f1b49b80a88b1eab7d5e08e7001486b135bedc434601eed4ab74b72804ae4f907ede18213454dfa9da7058692b012861170306adbe6b12650dd51fd4
-
Filesize 8KB
MD5 de90e60f799590f6b8fb5a973242d5e4
SHA1 464d95077a0c20e8f1abd0542cef67cb902d998e
SHA256 bee05e87fd6ccaed3982cf9adcceddbe9a810cab817d0447faf031ccb1a68f4c
SHA512 159ccb21c68292a85b099ebdd96287731e25b1ad792554ca652990c054ee7fdc3e510384b89698d26570b6834e34a101ece97ee7a465c2b876ffd6fdbe853c7b
-
Filesize 512B
MD5 aa437c0dd4178529cc22de4fd348b40f
SHA1 854f1583cb4323f159dacdd7630aa885fe0ecb38
SHA256 8a1c872c26b8de8ad45b1c15e59b4180a1c6758d6a967c3513d2ca9c158d7a42
SHA512 0a9c4745cd4f0ea2a4976dcdd0954cfc7b147391900bddcc0dda3ccec63874fbd375677663ed967efadaf2c0dce514febaca73629edbe52a941cb9580244877a
-
Filesize 8KB
MD5 ce3392492c50810730d1fbe2465f8fe7
SHA1 ec6d76600a8a036132359ae82cbe826bfec27c48
SHA256 6775accd10ab252d246d00032e26a3fcb91421f625870e56f3f842510757942f
SHA512 04aff33d3e1f783ce8fad44377c61b8b5a264bbf8c68fc280a7e1fb16f16308946e4507dcd8e58f46b8988c0c1076dfa7c327d68b1b5c3a78e4db999858e1e67
-
Filesize 8KB
MD5 39c751bf6df5412a761653274ae894a9
SHA1 b3c92e5ad43374446482b9803e3153da844702c7
SHA256 d78336de1272365c567fab8ffab4317276f2a487287183315e28f6da7d2112f5
SHA512 400315ea250e1954003da7197845a8ace0027ecdd3416607000ec9c5a6e7c6953916e71f6524110ad716d65bc8452c4944a0a0b26f65d9f1989b1d8d5237fb0b
-
Filesize 8KB
MD5 e247149e6f7a5ff0545c69aa289f6f31
SHA1 f8880f5f1cf4f12b6897f0e1f56e8847fa52d2df
SHA256 2af53e4669c4a2f1d19f7240e361141a66bb2688241d5692a5acba0de11774aa
SHA512 aee45a51ce990c82eb3dc77f209ae28b2ff9ffbfdba0569b9d653ce28472f5d1b74b2e73cf8de133bd25cde5c54f5faaa3dce3331ec3bfe1cdf7037e4f9a182d
-
Filesize 16KB
MD5 12627a2ec645c4a4bc50dba5903afd59
SHA1 504005c938517e61bcf68b65a055c2faba635c2e
SHA256 f177ffae9650eb4f407c2d9a510bb5a5abe1ece2fdfe24effc62478a1bfa5903
SHA512 7ff69589296e02383a217373399e75d8a82fa17146e4273f4c0eb630f096dd9f394a3324d60858b02f7e5cf177c82c6d966f5cbedb68ae6a98df7cc851b79cfd
-
Filesize 512B
MD5 24b080d39fbd9ca7b8382586b11f3179
SHA1 0ec0e925e34c066a615941400754d9a35785a4b9
SHA256 c225d281a552e99b6cd0d7696e3c385a2700142bb8b5c8a6d8984d2f6f932b0a
SHA512 b0c27e6b4787987e1adc9b37bd4626fed595d9bbc84dfd822e936900e1339bcefafaa91625ad4370b70876ad3af2fa72e46fc262c82a06eac6b17ffc29b69711
-
Filesize 8KB
MD5 77ac2978c9391e15dcb31ea5283af63e
SHA1 1429527405b2c45c57ab44f5a8061687a3905e86
SHA256 0797fd5f11f7e8065106bc1e486a1c6d4d82212ea372f9fef3550ba19951e2a9
SHA512 e101c9506ee056c338d1b7c44b4d1c5c958848f8a41dc65db8a0d6c02e826c4978a02efce7fc0cb5b547b2af64d34a296e518c9129a739a7634ea8688001e214
-
Filesize 8KB
MD5 a6d450739cf952d2c51a53181d8119f1
SHA1 33962f750a5cd5e353900fd05e7ec99ec6d5352e
SHA256 1967d4c05462952074c7d8bf4e890536a834cc2b51cbbd661a31bea9840ba394
SHA512 0022cd44210d8ffc3b49902c6af13fa85a355931cd1506767b5b40f20bea9254a1f1e0cd1817f3de39d6e73af226d9e27d48e58e4623f8e65079355bef215d8d
-
Filesize 3B
MD5 58e0494c51d30eb3494f7c9198986bb9
SHA1 cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d
SHA256 37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570
SHA512 b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4
-
Filesize 108B
MD5 7fa37a95fb8a7cdf37261052377c4bd1
SHA1 8b373eca86f3e74c4237a04be3355d3df4b8d7ac
SHA256 135b87ebac375afca9390e07cca88b6c784f44ac83b6463647d67e6188e127b5
SHA512 c0aab0f489c8b9fa54cc07ce107feb3e9b89d131f37563b355bf4cfa4f8eb286920d3244030c46485d43c4ae8502e83ce186857e734d2cf69521bf238f7401b1
-
Filesize 126B
MD5 32a0f44bbe54c34e4866f3565176aeb4
SHA1 c61024bf7c89f2b3511953c23bdd53a68907dd16
SHA256 b812607dc0cd7f9dfebcbc3dd4cf721e9482432e7ffe4a07f101df634f37193b
SHA512 be0db5dd1b87df1491da63e77ac85f4c06e837e13f2106cbbe7ab657fbc302fce1c9620ffd8e3c9339affc106814d72f8487de28f995a7c7a9e102a9972b538a
-
Filesize 108B
MD5 305128bd6ef70274c8a77ca6388cb841
SHA1 9abcb5131e13b119b8bbf8c08f5734cd7d861b11
SHA256 0ac372970d8df4b0214e0a08076eda67fb8d2f4ed848961b8e3225b861215504
SHA512 1c8333cd05e4bec359a4ef69df118a829a7251fbd050c6c058dc5836163d005861ec1b6a8e136cb6965ba61c1fa9d888113585f33234471d2a408ca5bd52e3cb
-
Filesize 126B
MD5 7997fd153a06b076a749e905e23320d3
SHA1 c41cf98035cdb441dc39f5b410b1edfff92ea413
SHA256 225f7fe401cb9aea4bf1dc27846120e2ec1bbdf76bb7530e27426883acc25d57
SHA512 7cbfb5eae465204b31959671732d574c19a3c10bd803ea13d7af4bb705280fa5c88610f1828b53fefc8eac0944c2dae773150948e3df25e18db9aa9e7d2cc437
-
Filesize 108B
MD5 361b86ff06a47d08950ae3b67c30bc3d
SHA1 0d238794a5d38d68b2de9d4051598478ab65dd5c
SHA256 ac540d1fc1bc8d6523542c40d1157a717c60155368dd64840e4c571bdaae50fe
SHA512 c370c9b1e83c3b596345d46415428ae4d84d0218291bd9cf21e2b5ccf43a8a085ed699a44c33f16031366dc8522961c4ff0846b4ddb1a89e859bb831fa949bb3
-
Filesize 126B
MD5 a24b437441ce6818d2ab866ee8f99a8e
SHA1 b0fb88d2a251f777560bfab33213bc4e943e52d5
SHA256 71461e7b7bf0166edc84a97bef2bc004ac4d528b4099589535f0343dde09a421
SHA512 7accdda0708177a385f1aacb996b777e978b8b0ff48bc8feeebe833197bd783a1cf765872608bf125d62030b09c77c77e795fcb2327ac6defca37eb87c405af7
-
Filesize 426B
MD5 9dbfacf57ccad741b2743e5ad0ed9f68
SHA1 9e9ac8c6f4f9455ec76ce00f593e54e86bf7ad52
SHA256 c8269ff9b4733ef3b3222a7e7b38649b12ce3d5048b77605989ddd4853872a5f
SHA512 f64f2cd6f8d3e55de042f83e6982ff1e29a759293dbbf380f7f4d17eaeb065515f801b8fb80977e4a003f7f0c9e713789ef4ab95c23898cfbe3ae9ae8a4be30e
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 827B
MD5 2506b2a539e431d6861e21f0c91120ab
SHA1 69cc28620ed562fecc583e4ac5c5cc9fed6ba271
SHA256 9601e3e35a9b0a62fb3f50fd29450af6a849f78a81768678de43a0bdae50b46e
SHA512 58eb41ff7268d8a477841060cd2c729571eda8d05ca4599830ef3a0d3665fe8c4287693834f05a95652cbe674d748172d5471480e7204cd9290735f21c11bc51
-
Filesize 827B
MD5 a7662e7d10e1d475191582bef1de1412
SHA1 f742b8847b0dbfc9fe3a932d6f44b26f04e16bb1
SHA256 0582335768fbb77a3ccf3c6024ba8da216e641fd4481687108db759d523ff0d4
SHA512 83f704a0827de1d4c4fd933e2b323edbb62934f8cf0ab72f2a3687fa9adf3b8b34837960ca6a4a3c75ed0e8e450f3442d8f9e2fdb00c40495d49c18e4d5ad9ac
-
Filesize 9KB
MD5 82934c9a9c0a2d625f2c13b1a5229ce1
SHA1 030c58a2977c60cf8459fef8f71b0f33126989df
SHA256 2feb853d787d84c09acf63a6f4a16d133cc45c4594418a1f7ca468eb3220a6c8
SHA512 83fec3872eb514350cec0fcc2dd02aa069a9cc469943d4a09d6c915ffcf16b4da243f44fc3d191989e3bc30333ce5a00222a28548aac69770aca57d53fce2f3c
-
Filesize 3.0MB
MD5 816ff97c55fa609561bd900657ad5431
SHA1 c11f5860337170602824e4c4dc11aac011eb5082
SHA256 cedb29b3dff81aa6652eebd774a501452b16547b627939405f5fb74da849bd09
SHA512 841bfc69e1cf7508b120d3b17f63590ad8c7ff656615c182b53258783a266893f38239916b3f4d2b4f977aede3f6ce7cfc34881fc2fb37f43ed1bfde838c7b16
-
Filesize 8B
MD5 5bef64cc7650cce5b95c17f2f7de0d41
SHA1 cf282932713ecb4bc4975f3a43185a598338a2c2
SHA256 5f9da690e712f4cc30ec9888f166676b677beb32a3c67b614b3c5f33d083022a
SHA512 42a2305c9af3281c190b8305333f5da30d82efaf10389319ffe35f154a1e258b065df4114eef1d47da0eaa50ec874538747aae5b778c679a094ab1dc157c0586
-
Filesize 12B
MD5 e48057c3603c907cacbe1568a7dbfc41
SHA1 6e100086b53e20e499a9be069aa1b452faf82ba3
SHA256 4b36685dbf772b2de007f4c98f824966f4f3a132075692d3d3d8f11e84e5468e
SHA512 787e1140832e8c308039f0287ee801c00040544d5241425b0c0c8e8dc19ecf3feefa50706723f7a21be209c13b24ab3dbe0691ec42118fdfe18611b13155fb9a